Potential Recon Activity Via Nltest.EXE

Severity: medium
Author: Craig Young, oscd.community, Georg Lauenstein
Source: upstream

Detects nltest commands that can be used for information discovery

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1016` System Network Configuration Discovery, `T1482` Domain Trust Discovery

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_nltest`

or:
Image|endswith: '\nltest.exe'
OriginalFileName: nltestrk.exe

Stage 2: `all of selection_recon`

or:
CommandLine|contains: query
CommandLine|contains: server
CommandLine|contains: '/user'
CommandLine|contains: all_trusts
CommandLine|contains: 'dclist:'
CommandLine|contains: 'dnsgetdc:'
CommandLine|contains: domain_trusts
CommandLine|contains: 'dsgetdc:'
CommandLine|contains: parentdomain
CommandLine|contains: trusted_domains

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`/user` `all_trusts` `dclist:` `dnsgetdc:` `domain_trusts` `dsgetdc:` `parentdomain` `query` corpus 6 (sigma 6) `server` `trusted_domains`
`Image`	ends_with	`\nltest.exe` corpus 9 (sigma 9)
`OriginalFileName`	eq	`nltestrk.exe` corpus 2 (sigma 2)